Analysis
Max time kernel: 142s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 25-06-2022 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: 9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb.msi
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb.msi
  Resource: win10v2004-20220414-en
General
Target: 9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb.msi
Size: 500KB
MD5: 847a9e7d782d0232581752856a146e5b
SHA1: 6abe12d2ec534673f16b1a4f5f7f4082a2a2acc3
SHA256: 9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb
SHA512: 7380dcaf0a6fec8faebd4e90b182dda04aae4a349c3b5338e52d6222e5a70ff18cb3bc56635762a6693b79b5ec4e9ca4b9462f58fc7865bb0aafed7828a85d45
Malware Config
Signatures
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
- resource: behavioral1/memory/1912-62-0x0000000000980000-0x00000000009D8000-memory.dmp, yara_rule: rezer0

Executes dropped EXE (1 IoC)
Processes:
- pid 1912: MSIE247.tmp

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
Drops file in Windows directory (9 IoCs)
Processes:
- File opened for modification C:\Windows\Installer\MSIDD55.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIE247.tmp (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created C:\Windows\Installer\6d8b5f.msi (msiexec.exe)
- File created C:\Windows\Installer\6d8b61.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification C:\Windows\Installer\6d8b5f.msi (msiexec.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies data under HKEY_USERS (43 IoCs)
Processes: DrvInst.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 908: msiexec.exe
- pid 908: msiexec.exe

Suspicious use of AdjustPrivilegeToken (57 IoCs)
Processes: msiexec.exe (pid 1108), msiexec.exe (pid 908), vssvc.exe (pid 852), DrvInst.exe (pid 1668)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 1108: msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 908 (msiexec.exe) wrote to memory of PID 1912 (MSIE247.tmp), 4 events
- PID 1912 (MSIE247.tmp) wrote to memory of PID 916 (schtasks.exe), 4 events
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Installer\MSIE247.tmp
      Command line: "C:\Windows\Installer\MSIE247.tmp"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\byqPAkLJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2F7.tmp"
          - Creates scheduled task(s)

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D0" "00000000000003E4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpF2F7.tmp
  Filesize: 1KB
  MD5: 575e77e9e0210babd29bd42e7753b299
  SHA1: 07f5d56af276a4289c29318282ccf392d089ca39
  SHA256: 8b6e0b403fc8a4b8d1cd232bbd8d684b08b3e0fcdbb8caf9ad773e75aabeb73b
  SHA512: c0a19424b88321dbb3c6da997c5c606dc264da41505a79022b7b095ca66b43ad38909f0e91565fdff635215ad2d7c23c5a19085aa63b08324d837c37bd7bd26b

C:\Windows\Installer\MSIE247.tmp
  Filesize: 473KB
  MD5: 448ef95d442eddb34afa932c7127494b
  SHA1: 4910c082cd4b5f19b16f0b60480ae76e96beb4ee
  SHA256: 6c3bc543be55d71ab8ad5865f8debf5cca5ce4596caa84d2da92144b35a04486
  SHA512: 530438b9ad0655db70f0fcf991e32b844114a2a0ca6f7267d659180836be7a6aded0f823af0768491dd540912747ac7491e0317589a9c68a35ae609c326216ca

- memory/916-63-0x0000000000000000-mapping.dmp
- memory/1108-54-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp (Filesize: 8KB)
- memory/1912-56-0x0000000000000000-mapping.dmp
- memory/1912-59-0x00000000011D0000-0x000000000124C000-memory.dmp (Filesize: 496KB)
- memory/1912-60-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (Filesize: 8KB)
- memory/1912-61-0x00000000004F0000-0x00000000004F8000-memory.dmp (Filesize: 32KB)
- memory/1912-62-0x0000000000980000-0x00000000009D8000-memory.dmp (Filesize: 352KB)